overview
play

Overview Introduction Background Target Application Vulnerability - PowerPoint PPT Presentation

Aug 25, 2023 •164 likes •335 views

niversiteit van Amsterdam System and Network Engineering E ffectiveness of A utomated A pplication P enetration T esting T ools A LEXANDRE F ERREIRA H ARALD K LEPPE Overview Introduction Background Target Application Vulnerability

  1. niversiteit van Amsterdam System and Network Engineering E ffectiveness of A utomated A pplication P enetration T esting T ools A LEXANDRE F ERREIRA H ARALD K LEPPE

  2. Overview ● Introduction ● Background ● Target Application ● Vulnerability Scanners ● Test Results ● Conclusion ● Questions

  3. Introduction ● Are automated penetration testing tools effective? – What and how is automated with these tools? – How much manual intervention is required from the results? (false positives / negatives) – What are the most effective tools? – What level of effectiveness is acceptable / necessary to properly support pentesters?

  4. Background ● OWASP Top 10 Project ● What is a Penetration Test? ● What is a Penetration Testing Tool?

  5. Target Application ● Why a new application? – Other tools (HacmeBank, WebGoat, ...) – Known implementations ● How and which vulnerabilities are implemented? – Lets have a look!

  6. Target Application (2) ● SQL Injection – In URL and in HTML form ● Cross Site Scripting (XSS) – Stored and relected ● Cross Site Request Forgery (CSRF) ● Path traversal ● Failure to restrict URL access ● Printed error

  7. Vulnerability Scanners ● Tool selection – Both open source and commercial tools – Established tools – New players – Some tools: €10 000 per year

  8. Vulnerability Scanners (2) Commercial Open Source ● Acunetix ● Paros ● BurpSuite Pro ● Skipfish ● Core Impact ● w3af ● IBM AppScan ● ZAProxy ● NTOSpider ● ParosPro ● Qualys

  9. Vulnerability Scanners (3)

  10. Vulnerability Scanners (4)

  11. Test Results ● Low hitrate, differ from other research ● None of the tools “passed” this test

  12. Test Results (2) Vulnerability Failure to SQL SQL Printed Type Path Reflected Stored restrict Injection CSRF Injection error traversal XSS XSS URL (in HTML (in URL) message Tools access form) Commercial Commercial Commercial Commercial Commercial Commercial Open Source Commercial Commercial Open Source Open Source Open Source

  13. Test Results (3) ● Insufficient dataset to compare the tools generally ● Relying on crawling engines proves to be dangerous

  14. Conclusion ● Scanners are conditionally effective ● Nearly the entire scan can be automated ● Quite some intervention is required ● For our application: Skipfish + BurpSuite ● Necessary effectiveness

  15. Conclusion (2) ● Further research – Crawling abilities of different scanners – Selective scanning

  16. Questions n e ? g a r V Perguntas Въпроси Pytania Spørsmål ς ι ε σ F ή r τ a ω g e ρ n Ε

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2 Coin and card meters OVERVIEW PRESENTATION / 3 Making garages work better OVERVIEW PRESENTATION / 4 User interface and customer experience OVERVIEW

1.3k views • 24 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF park overview OVERVIEW PRESENTATION / 3 Coin and card meters OVERVIEW PRESENTATION / 4 Improving the customer experience at garages OVERVIEW

567 views • 25 slides
GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

National Taiwan University Department of Computer Science and Information Engineering GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin Phone Lin Ph.D. Ph.D. Email: plin@csie.ntu.edu.tw Email:

686 views • 41 slides
i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

LGE UNICAMP The m i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW The m i c r o g u a r d ETHANOL s OVERVIEW The m i c Ideal conditions r o g Costs-benefits u a r d

1.39k views • 59 slides
Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95# Commissioner --BRYC Firefighter II, EMT-B, HTR & HZMT Tech City of Alexandria Fire and EMS Overview Overview Hyperthermia (Heat Related Injuries)

2.61k views • 31 slides
1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure Industry Business Model Hotels Overview Disclaimer This presentation does not constitute, or form any part of any offer for sale or subscription

808 views • 32 slides
HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview Project Overview Analysis Active Experimentation Question & Answer Team Overview Our Logo Our Tagline Our Mission Statement

1.09k views • 15 slides
Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four Dedicated Outbound Carriers MPF Meijer Private Fleet 111 stores serviced in Michigan, northern Ohio, and Indiana. NTB Nationwide Truck

865 views • 15 slides
HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team Overview Project Overview Analysis Active Experimentation Question & Answer Team Overview Our Logo Our Tagline Our

934 views • 15 slides
An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese Agriculture Agriculture Agriculture characteristics S mall holdings L imited resources and L and Fragmentation. 2 Maltese agriculture in figures

1.04k views • 15 slides
Library Conversations: Talking with Users University of Rochester Overview Overview Used

Library Conversations: Talking with Users University of Rochester Overview Overview Used

Rebecca Bichel December 7, 2007 Library Conversations: Talking with Users University of Rochester Overview Overview Used anthropological & ethnographic Overview Overview methods Guiding research question: What do students

941 views • 44 slides
.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries development and execution model Examine simple C# program 2 .NET Overview .NET is a sweeping marketing term for a family of products

388 views • 23 slides
1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce supply analysis Regional demand for workers i l d d f k Balancing supply and demand Reviewing key cluster trends Key challenges

533 views • 39 slides
EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a registered trademark of Future Designs, Inc . 1 Overview What is EZ? EZ RTOS Engine EZ Four Tier Hierarchy Reusable HAL and Device

600 views • 32 slides
Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues

Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues

Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues Related to Puerto Ricos Debt Restructuring by Sergio M. Marxuach Center for a New Economy February 25, 2020 CNE Puerto Ricos Think Tank

347 views • 13 slides
Overview & Development Table of Contents 1 Simon Owen, CEO Business Overview

Overview & Development Table of Contents 1 Simon Owen, CEO Business Overview

2018 Investor Tour INGENIA COMMUNITIES GROUP Overview & Development Table of Contents 1 Simon Owen, CEO Business Overview Guidance Update Development Overview Latitude One Overview 2 Craig Shepherd, Project

247 views • 22 slides
Implementation of an Algorithm for Peer-to-Peer Collaborative Editing Damien Aymon Ecole

Implementation of an Algorithm for Peer-to-Peer Collaborative Editing Damien Aymon Ecole

Implementation of an Algorithm for Peer-to-Peer Collaborative Editing Damien Aymon Ecole Polytechnique F ed erale de Lausanne, Switzerland June 20, 2017 damien.aymon@epfl.ch (EPFL) ABTU Implementation June 20, 2017 1 / 28 Outline

518 views • 28 slides
Quality-centric design of Peer-to-Peer systems for live-video broadcasting Pablo

Quality-centric design of Peer-to-Peer systems for live-video broadcasting Pablo

Introduction QUALITY GOL!P2P Conclusions Quality-centric design of Peer-to-Peer systems for live-video broadcasting Pablo Rodrguez-Bocca Facultad de Ingeniera, Universidad de la Repblica. INRIA/Universit de Rennes 1, Rennes, France.

947 views • 68 slides
RBS Citizens Barclays Presentation Bruce Van Saun, Chief Executive Officer March 7, 2014 Note:

RBS Citizens Barclays Presentation Bruce Van Saun, Chief Executive Officer March 7, 2014 Note:

RBS Citizens Barclays Presentation Bruce Van Saun, Chief Executive Officer March 7, 2014 Note: Results reported on a US GAAP CFG legal entity basis to allow comparability with peers. RBS Group reported results were for US Retail and Commercial

280 views • 24 slides
Use of Annual Audits: Overview and Trends ASBCS BOARD MEETING MAY 13, 2019 1 Audit Background

Use of Annual Audits: Overview and Trends ASBCS BOARD MEETING MAY 13, 2019 1 Audit Background

Use of Annual Audits: Overview and Trends ASBCS BOARD MEETING MAY 13, 2019 1 Audit Background 2 Charter Audits A.R.S. 15-183(E)(6) and 15-914 Charter Audits Must Be Conducted by Independent Certified Public Accountant (CPA)

371 views • 34 slides
Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all

Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all

PentesterUniversity By NetSecNow Course Overview Penetration Testing Beginner Level PentesterUniversity By NetSecNow Disclaimer: Any and all information provided in this training series is provided at no risk to PentesterUniversity,

239 views • 7 slides
The Third Line of Defense in Cybersecurity Internal Audit and the University of California

The Third Line of Defense in Cybersecurity Internal Audit and the University of California

The Third Line of Defense in Cybersecurity Internal Audit and the University of California Cybersecurity Audit Team Overview 1. University of California and Internal Audit 2. Establishing the Cybersecurity Audit Team (CAT) 3. CAT

650 views • 23 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST

World s first Machine- Based Penetration Testing Solution Take Control, Get CyBot CREST certified CREST Certified Cronus is the 1 st CREST certified Automatic Penetration Testing vendor One of top 12 tech companies transforming

611 views • 13 slides

More recommend